Don’t Get Hooked by Vishing Attacks

Cybercriminals are motivated and creative, which is not a great pairing for their victims. Just when we know what to watch out for, there’s something new to worry about. Right now, voicemail phishing (vishing) attacks are on the rise. Find out more about vishing and what you can do about it.

First, a reminder: phishing refers to bad actors sending fraudulent emails. They use social engineering to get you to reveal personal or sensitive information. For example, employees might get an email that looks like it’s from your IT team. It might ask them to renew their access credentials in the next 24 hours, but they need to enter their existing credentials into an online form to make the change.

Vishing also relies on social engineering – it targets our impulse to trust or help – but vishing does this using voicemail. Cybercriminals use this approach to attack individuals and businesses, and they aim to obtain the information they need to perpetrate further crimes.

How does vishing work?

Cybercriminals prepare in advance to make vishing more convincing. They’ll call from what looks like a local number so that you’ll be more likely to answer. They learn enough about their victim, or about the organization they claim to be from, to appeal to human nature.

A vishing attempt will:

  • use urgency to encourage you to act;
  • leverage false credibility to convince you they’re legit (e.g., calling from the government, tax department, IT support, or HR);
  • employ persuasive language to make you want to help;
  • take a threatening tone so that your fear of being arrested or having your bank accounts shut down overrides your suspicions;
  • reference current events to tap into your worries (e.g., during the tax season, criminals might spoof tax collection agencies; or during COVID, people were promised testing kits for sharing their bank information).

Avoid falling victim to vishing

Make vishing awareness part of your security training for employees. Communicating how to avoid falling victim can help your business stay safe.

The number-one rule is to never provide or confirm personal information by phone. A bank, hospital, tax office, or the police will not call you to ask for personal details. And they will definitely not call and try to motivate you to act urgently.

It is also unlikely that your manager or human resources would call you at home to ask you to transfer funds, provide confidential data, or email documents from your account.

Always ask for proof you can use to verify that the caller is who they say they are and works where they claim. If you’re given a number to call to confirm the caller is legit, look it up. Call on a different phone to check that it’s a real number.

Stay aware of the latest trends. For instance, a new take on vishing sends emails claiming to share links to voicemail messages on LinkedIn- or WhatsApp-type services. If the recipient clicks on the link, they go to a convincing page (complete with CAPTCHA for added legitimacy) where crooks try to capture their access credentials.

This latest iteration of vishing aims to evade your cybersecurity solutions. There’s always something to keep up with. Need help? Hopedale Technologies can set you up for network security success. 
